SQL injection is a web security vulnerability that appears in the OWASP (Open Web Application Security Project) Top 10 year after year. In short,
SQL injection is caused by data supplied by the user being placed directly into the SQL query, so the user controls part of the query's logic.
In the example below, there is a simple login page written in classic ASP (VBScript).
FUsername = Request.Form("username")
FPassword = Request.Form("password")

Set RsLogin = SQLConn.Execute("SELECT * FROM Members WHERE username = '" & FUsername & "' AND Password = '" & FPassword & "'")

If RsLogin.EOF AND RsLogin.BOF Then
    Response.Redirect "error.asp"   ' error page; the actual target path is not given in the text
Else
    Session("login") = RsLogin("user_id")
End If
Let’s examine this code.
- In the first and second lines it reads the values of the “username” and “password” form fields. In the 4th line these values are concatenated directly into the SQL query, which is executed to verify the user.
- In the 6th line it checks whether the result set is empty. If it is empty, the 7th line sends the user to the error page.
Let’s try an injection in the username and password fields and examine what happens.
If we enter the following as both the username and the password
' or ''='
we are logged in successfully. Recall from the sample code above that the 1st and 2nd lines read the form values. Substituting those values into the query gives:
SELECT * FROM Members WHERE username = '' OR '' = '' AND Password = '' OR '' = ''
This SQL query always succeeds and returns every row of the “Members” table. Read literally, it asks for members whose username is an empty string and whose password is an empty string, or where an empty string equals an empty string. That last condition is always true, so every record matches. Because the conditions are joined with OR, it is enough for any one of them to be true for all records to be returned. When this SQL injection is performed, the application logs us in as the first user in the returned records. SQL injection therefore lets an attacker manipulate the SQL statement in any way they want by supplying input that breaks out of the intended query.
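To make the mechanism concrete, the following is an added Python example (not code from the original post) that reproduces the ASP login logic against a constructed in-memory SQLite table named Members. It builds the query by string concatenation exactly as the snippet above does, shows that the `' or ''='` input yields the query text given above and returns every member, and then shows the same login written with a parameterized query, where the identical input matches nothing. The table contents, column names and helper names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the page's "Members" table.
# Like the original snippet, passwords are compared in plaintext; a real
# application would store and verify a password hash instead.
MEMBERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Create an in-memory database with the constructed Members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Members (user_id INTEGER, username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Members VALUES (?, ?, ?)", MEMBERS)
    return conn


def build_vulnerable_query(username, password):
    """Same string concatenation as the ASP code; returned so it can be inspected."""
    return (
        "SELECT * FROM Members WHERE username = '" + username
        + "' AND Password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Vulnerable login: user input becomes part of the SQL text.

    Returns the sorted user_ids of all matching rows (the ASP code would
    take the first of these as Session("login")).
    """
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return sorted(row[0] for row in rows)


def login_safe(conn, username, password):
    """Hardened login: values are bound as parameters, never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM Members WHERE username = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


def demo():
    """Run both variants with the page's payload and a legitimate login."""
    conn = make_db()
    payload = "' or ''='"
    return {
        "query": build_vulnerable_query(payload, payload),
        "vulnerable": login_vulnerable(conn, payload, payload),
        "safe": login_safe(conn, payload, payload),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the concatenated query (identical in structure to the one shown above), a `vulnerable` result listing every member, an empty `safe` result for the same input, and the single matching user for a genuine username and password. The equivalent fix in classic ASP is to replace `SQLConn.Execute` with an `ADODB.Command` whose `Parameters` collection carries the username and password, so the database driver treats them as data rather than as part of the statement.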
Check SQL injection on the test site
This is a demonstration site with various vulnerabilities, including SQL injection.
We can test for SQLi on the login page with the ' or ''=' trick.
We can bypass the login page as seen below.